Get the Microsoft June patches applied, but watch out for Win7 NICs and old antivirus

Credit to Author: Woody Leonhard | Date: Mon, 02 Jul 2018 07:05:00 -0700

Windows 7 customers should be on the lookout for a couple of, uh, challenges this month, as the Win10 1803 trail of tears continues and Win10 1709 finally looks pretty solid.

First, the good news. If you installed last month’s Win7/Server 2008R2 patches and your network connections didn’t go kablooey, you’re almost undoubtedly OK to proceed with this month’s patches.

On the other hand, if you’ve been waiting to install patches on your Win7 or Server 2008R2 machine, you need to be aware of a bug that Microsoft has acknowledged. It was introduced by a patch back in March, according to the KB articles, and hasn’t been fixed yet:

Symptom: There is an issue with Windows and third-party software that is related to a missing file (oem<number>.inf). Because of this issue, after you apply this update, the network interface controller will stop working.

Workaround: 1. To locate the network device, launch devmgmt.msc; it may appear under Other Devices.

2. To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes from the Action menu.

a. Alternatively, install the drivers for the network device by right-clicking the device and selecting Update. Then select Search automatically for updated driver software or Browse my computer for driver software.

That’s a bizarre, convoluted series of steps. Microsoft still hasn’t confirmed which third-party software is at fault.

If you’re worried that installing this month’s updates will clobber your network interface card, make sure you take a full backup before installing the updates. You can also take @GoneToPlaid’s advice and edit certain registry entries in advance.
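A read-only pre-patch check for the symptom quoted above, added here as an example (it is not from Microsoft's KB article or from @GoneToPlaid's post): it lists each network adapter's driver INF and flags any third-party oem<number>.inf that is no longer on disk. It assumes the missing file is the one in %windir%\inf that the adapter's driver record names; the CSV file name is arbitrary.

```powershell
# Added example: find network adapters whose driver INF file is missing.
# Assumption: the "missing oem<number>.inf" is the file under %windir%\inf
# that the adapter's driver record points to. Nothing is modified.
# Uses only cmdlets available in PowerShell 2.0 (stock on Windows 7 / 2008 R2).

$infDir = Join-Path $env:windir 'inf'

$report = Get-WmiObject -Class Win32_PnPSignedDriver |
    Where-Object { $_.DeviceClass -eq 'NET' -and $_.InfName } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Device     = $_.DeviceName
            Provider   = $_.DriverProviderName
            Version    = $_.DriverVersion
            InfName    = $_.InfName
            # oem<number>.inf names are assigned to drivers added after setup
            ThirdParty = ($_.InfName -like 'oem*.inf')
            InfPresent = (Test-Path -LiteralPath (Join-Path $infDir $_.InfName))
        }
    }

$report | Sort-Object Device |
    Format-Table Device, InfName, ThirdParty, InfPresent, Version -AutoSize

# Adapters that reference an oem*.inf which is not on disk
$atRisk = @($report | Where-Object { $_.ThirdParty -and -not $_.InfPresent })

if ($atRisk.Count -gt 0) {
    foreach ($nic in $atRisk) {
        Write-Warning ("{0}: {1} is referenced but missing from {2}" -f `
            $nic.Device, $nic.InfName, $infDir)
    }
    Write-Output 'Download the vendor driver package before patching.'
} else {
    Write-Output 'Every network adapter INF is present.'
}

# Keep a record of driver names and versions in case a reinstall is needed
$csv = Join-Path $env:USERPROFILE 'nic-drivers-before-patch.csv'
$report | Export-Csv -Path $csv -NoTypeInformation
Write-Output "Driver inventory saved to $csv"
```

Run it before installing the updates; the saved inventory tells you which driver to fetch if the adapter later shows up under Other Devices.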

Older Win7 machines don’t get no respect.

First, we had Microsoft’s decision to end support for Pentium III processors — an undocumented change accompanied by doctored KB articles that hide the promises that were made. The Microsoft blogosphere responded with a yawn: Even though Microsoft repeatedly promised to support the processors, they’re really old (vintage 2002). You shouldn’t be running Windows on old processors anyway.

Now there’s strong evidence that Windows Defender updates aren’t getting out. Günter Born has the details on his Born City blog, and Vess Bontchev confirms on Twitter:

Windows Update no longer updates Windows Defender on Windows 7 machines, yo. Last such update was on June 18. Nothing changed at my end firewall- or installation-wise. It’s Microsoft’s doing.

Just like the Pentium III, Windows Defender is ancient technology, baked into the original Windows 7, and long since superseded by the (free!) Microsoft Security Essentials, which does much more than Defender. Many older Win7 machines still run Windows Defender, though, and even though updates are being released by Microsoft, they somehow aren’t getting through. Speculation has it that Microsoft’s servers are broken.

When you apply Win7 updates this month, check to see if you have Windows Defender enabled and, if so, get Microsoft Security Essentials.

If you’re stuck in Win10 April 2018 Update — the notoriously buggy version 1803 — you need to get last week’s latest cumulative update, KB 4284848. It arrives with a servicing stack update, KB 4132650, which you only need to jiggle if you manually install updates.

Here’s what gets me about 1803. Microsoft declared it to be ready for business deployment six weeks ago. But if you listen to people who work with Windows all the time, it ain’t necessarily so. The same experts who tout the benefits of 1803 (of which there are few, if any) also come up with statements like “After I installed this month’s Surface firmware patches, 1803 is suddenly usable” and “The latest 1803 patches finally fixed so-and-so.”

1803 isn’t ready for prime time. If you want to beta-test 1803, go right ahead, but remember that you can roll it back if you do so within 10 days of installing it. It appears as if the only way to avoid having your Win10 machine pushed to Win10 version 1803 is to use the metered connection kludge with wushowhide, which I discuss in How to block the Windows 10 April 2018 Update, version 1803, from installing. In addition, Pro/Enterprise users should set the feature update deferral (Step 3 in that discussion) to 365 days.

I don’t believe for a moment the Ad Duplex claim that 78% of all Windows 10 PCs are running version 1803. But the squeeze is on. 1703 and 1709 are both relatively stable. Win 8.1 remains the most stable Windows of all — most likely because Microsoft isn’t trying to “fix” it as much as the others.

Susan Bradley’s Master Patchlist shows that the June patches look clean, although the official Fixes or workarounds articles for Office include many specific problems and a few possible solutions.

Ready to take a chance on messing up your NIC? Here’s how to proceed. The patching pattern should be familiar to many of you.

There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.

There are plenty of full-image backup products, including at least two good free ones: Macrium Reflect Free and EaseUS Todo Backup. For Win 7 users, if you aren’t making backups regularly, take a look at this thread started by Cybertooth for details. You have good options, both free and not-so-free.

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s a year old or less, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.

If you’ve already installed any March, April or May updates, your network interface card should be immune to the latest slings and arrows. But if you haven’t been keeping up on patches, see the discussion in the “Win7/Server 2008R2 network card bugs continue” section above to protect yourself.

If you’re very concerned about Microsoft’s snooping on you and want to install just security patches, realize that the privacy path’s getting more difficult. The old “Group B” — security patches only — isn’t dead, but it’s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano’s AKB 2000003 and be aware of @MrBrian’s recommendations for hiding any unwanted patches.

For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Realize that some or all of the expected patches for June may not show up or, if they do show up, may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. That way thar be tygers. If you’re going to install the June patches, accept your lot in life, and don’t mess with Mother Microsoft.

If you want to minimize Microsoft’s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping) before you install any patches. (Thx, @MrBrian.) If you see KB 2952664 (for Win7) or its Win8.1 cohort, KB 2976978 — the patches that so helpfully make it easier to upgrade to Win10 — uncheck them and spread your machine with garlic. Watch out for driver updates — you’re far better off getting them from a manufacturer’s website.

After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Windows 7 and 8.1 machines. But I’m starting to believe that information pushed to Microsoft’s servers for Win7 owners is nearing equal to that pushed in Win10.

If you’re running Win10 Creators Update, version 1703 or version 1709 (my current preference), and you want to stay on 1703 or 1709 and not get sucked into the 1803 pre-release vortex, follow the instructions here to ward off the upgrade. Of course, all bets are off if Microsoft, uh, forgets to honor its own settings.

Remember: If you want to avoid 1803, don’t click “Check for Updates” until you’ve gone through all the precautions listed in this article, including running wushowhide. If you forget, you may be tossed in the seeker heap and shuffled off to 1803 land.

If you’re running an earlier version of Win10, you’re basically on your own. Microsoft doesn’t support you anymore.

If you have trouble getting the latest cumulative update installed, make sure you’ve checked your antivirus settings and, if all is well, run the newly refurbished Windows Update Troubleshooter before inventing new epithets.

To get Windows 10 patched, go through the steps in “8 steps to install Windows 10 patches like a pro.”

Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @gborn, @GoneToPlaid, @Cybertooth and @MrBrian.

We’ve moved to MS-DEFCON 3 on the AskWoody Lounge.
